antivirus profile
Create and configure antivirus profiles that can be applied to firewall policies. Antivirus profiles configure how virus scanning is applied to sessions accepted by a firewall policy that includes the antivirus profile.
History
The following list shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command:

```
config <protocol>
    set content-disarm {enable | disable}
end
config content-disarm
    set original-file-destination {fortisandbox | quarantine | discard}
    set office-macro {enable | disable}
    set office-hylink {enable | disable}
    set office-linked {enable | disable}
    set office-embed {enable | disable}
    set pdf-javacode {enable | disable}
    set pdf-embedfile {enable | disable}
    set pdf-act-gotor {enable | disable}
    set pdf-act-launch {enable | disable}
    set pdf-act-uri {enable | disable}
    set pdf-act-sound {enable | disable}
    set pdf-act-movie {enable | disable}
    set pdf-act-java {enable | disable}
    set pdf-act-form {enable | disable}
    set cover-page {enable | disable}
    set detect-only {enable | disable}
next
...
```

Description: Content Disarm and Reconstruction (CDR) is used to remove exploitable content and replace it with content that is known to be safe. The use of CDR is enabled or disabled separately for each protocol in the profile. Note that all CDR commands are only available when you set the profile's

Command:

```
set extended-log {enable | disable}
```

Description: When extended UTM log is enabled, more HTTP header information is logged when a UTM event happens. The following HTTP header fields are included in extended-log: http method, client content type, server content type, user agent, referer, and x-forward-for.

Command:

```
config <protocol>
    set outbreak-prevention {disabled | files | full-archive}
next
...
```

Description: Outbreak prevention uses checksums to filter files in order to preempt and prevent quick virus outbreaks before AV signatures are created.

Command:

```
config <protocol>
    set archive-block {partiallycorrupted | fileslimit | timeout | ...}
    set archive-log {partiallycorrupted | fileslimit | timeout | ...}
next
...
```

Description: Additional options for file blocking and event logging of certain AntiVirus errors. Determine whether to block partially corrupted archives, block archives that exceed the files limit, and/or log scan timeouts.
```
config antivirus profile
    edit {name}
    # Configure AntiVirus profiles.
        set name {string}   Profile name. size[35]
        set comment {string}   Comment. size[255]
        set replacemsg-group {string}   Replacement message group customized for this profile. size[35] - datasource(s): system.replacemsg-group.name
        set inspection-mode {proxy | flow-based}   Inspection mode.
                proxy        Proxy-based inspection.
                flow-based   Flow-based inspection.
        set ftgd-analytics {disable | suspicious | everything}   Settings to control which files are uploaded to FortiSandbox.
                disable      Do not upload files to FortiSandbox.
                suspicious   Submit files supported by FortiSandbox if heuristics or other methods determine they are suspicious.
                everything   Submit all files scanned by AntiVirus to FortiSandbox. AntiVirus may not scan all files.
        set analytics-max-upload {integer}   Maximum size of files that can be uploaded to FortiSandbox (1 - 395 MBytes, default = 10). range[1-25809]
        set analytics-wl-filetype {integer}   Do not submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-bl-filetype {integer}   Only submit files matching this DLP file-pattern to FortiSandbox. range[0-4294967295] - datasource(s): dlp.filepattern.id
        set analytics-db {disable | enable}   Enable/disable using the FortiSandbox signature database to supplement the AV signature databases.
        set mobile-malware-db {disable | enable}   Enable/disable using the mobile malware signature database.
        config http
            set options {scan | avmonitor | quarantine}   Enable/disable HTTP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable HTTP antivirus scanning.
                    avmonitor    Enable HTTP antivirus logging.
                    quarantine   Enable HTTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config ftp
            set options {scan | avmonitor | quarantine}   Enable/disable FTP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable FTP antivirus scanning.
                    avmonitor    Enable FTP antivirus logging.
                    quarantine   Enable FTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
        config imap
            set options {scan | avmonitor | quarantine}   Enable/disable IMAP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable IMAP antivirus scanning.
                    avmonitor    Enable IMAP antivirus logging.
                    quarantine   Enable IMAP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default   Perform standard AntiVirus scanning of Windows executable files.
                    virus     Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config pop3
            set options {scan | avmonitor | quarantine}   Enable/disable POP3 AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable POP3 antivirus scanning.
                    avmonitor    Enable POP3 antivirus logging.
                    quarantine   Enable POP3 antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default   Perform standard AntiVirus scanning of Windows executable files.
                    virus     Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config smtp
            set options {scan | avmonitor | quarantine}   Enable/disable SMTP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable SMTP antivirus scanning.
                    avmonitor    Enable SMTP antivirus logging.
                    quarantine   Enable SMTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default   Perform standard AntiVirus scanning of Windows executable files.
                    virus     Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
            set content-disarm {disable | enable}   Enable Content Disarm and Reconstruction for this protocol.
        config mapi
            set options {scan | avmonitor | quarantine}   Enable/disable MAPI AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable MAPI antivirus scanning.
                    avmonitor    Enable MAPI antivirus logging.
                    quarantine   Enable MAPI antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set executables {default | virus}   Treat Windows executable files as viruses for the purpose of blocking or monitoring.
                    default   Perform standard AntiVirus scanning of Windows executable files.
                    virus     Treat Windows executables as viruses.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
        config nntp
            set options {scan | avmonitor | quarantine}   Enable/disable NNTP AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable NNTP antivirus scanning.
                    avmonitor    Enable NNTP antivirus logging.
                    quarantine   Enable NNTP antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
        config smb
            set options {scan | avmonitor | quarantine}   Enable/disable SMB AntiVirus scanning, monitoring, and quarantine.
                    scan         Enable SMB antivirus scanning.
                    avmonitor    Enable SMB antivirus logging.
                    quarantine   Enable SMB antivirus quarantine. Files are quarantined depending on quarantine settings.
            set archive-block {option}   Select the archive types to block.
                    encrypted            Block encrypted archives.
                    corrupted            Block corrupted archives.
                    partiallycorrupted   Block partially corrupted archives.
                    multipart            Block multipart archives.
                    nested               Block nested archives.
                    mailbomb             Block mail bomb archives.
                    fileslimit           Block exceeded archive files limit.
                    timeout              Block scan timeout.
                    unhandled            Block archives that FortiOS cannot open.
            set archive-log {option}   Select the archive types to log.
                    encrypted            Log encrypted archives.
                    corrupted            Log corrupted archives.
                    partiallycorrupted   Log partially corrupted archives.
                    multipart            Log multipart archives.
                    nested               Log nested archives.
                    mailbomb             Log mail bomb archives.
                    fileslimit           Log exceeded archive files limit.
                    timeout              Log scan timeout.
                    unhandled            Log archives that FortiOS cannot open.
            set emulator {enable | disable}   Enable/disable the virus emulator.
            set outbreak-prevention {disabled | files | full-archive}   Enable FortiGuard Virus Outbreak Prevention service.
                    disabled       Disabled.
                    files          Analyze files as sent, not the content of archives.
                    full-archive   Analyze files including the content of archives.
        config nac-quar
            set infected {none | quar-src-ip}   Enable/Disable quarantining infected hosts to the banned user list.
                    none          Do not quarantine infected hosts.
                    quar-src-ip   Quarantine all traffic from the infected hosts source IP.
            set expiry {string}   Duration of quarantine.
            set log {enable | disable}   Enable/disable AntiVirus quarantine logging.
        config content-disarm
            set original-file-destination {fortisandbox | quarantine | discard}   Destination to send original file if active content is removed.
                    fortisandbox   Send original file to configured FortiSandbox.
                    quarantine     Send original file to quarantine.
                    discard        Original file will be discarded after content disarm.
            set office-macro {disable | enable}   Enable/disable stripping of macros in Microsoft Office documents.
            set office-hylink {disable | enable}   Enable/disable stripping of hyperlinks in Microsoft Office documents.
            set office-linked {disable | enable}   Enable/disable stripping of linked objects in Microsoft Office documents.
            set office-embed {disable | enable}   Enable/disable stripping of embedded objects in Microsoft Office documents.
            set pdf-javacode {disable | enable}   Enable/disable stripping of JavaScript code in PDF documents.
            set pdf-embedfile {disable | enable}   Enable/disable stripping of embedded files in PDF documents.
            set pdf-hyperlink {disable | enable}   Enable/disable stripping of hyperlinks from PDF documents.
            set pdf-act-gotor {disable | enable}   Enable/disable stripping of links to other PDFs in PDF documents.
            set pdf-act-launch {disable | enable}   Enable/disable stripping of links to external applications in PDF documents.
            set pdf-act-sound {disable | enable}   Enable/disable stripping of embedded sound files in PDF documents.
            set pdf-act-movie {disable | enable}   Enable/disable stripping of embedded movies in PDF documents.
            set pdf-act-java {disable | enable}   Enable/disable stripping of actions that execute JavaScript code in PDF documents.
            set pdf-act-form {disable | enable}   Enable/disable stripping of actions that submit data to other targets in PDF documents.
            set cover-page {disable | enable}   Enable/disable inserting a cover page into the disarmed document.
            set detect-only {disable | enable}   Enable/disable only detecting disarmable files, without altering content.
        set av-virus-log {enable | disable}   Enable/disable AntiVirus logging.
        set av-block-log {enable | disable}   Enable/disable logging for AntiVirus file blocking.
        set extended-log {enable | disable}   Enable/disable extended logging for antivirus.
        set scan-mode {quick | full}   Choose between full scan mode and quick scan mode.
                quick   Use quick mode scanning. Quick mode uses a smaller database and may be less accurate. Full mode is recommended.
                full    Full mode virus scanning. Recommended scanning mode. More accurate than quick mode with similar performance.
    next
end
```
Additional information
The following section is for those options that require additional explanation.
analytics-bl-filetype {1 | 2 | <filepattern_id>}
Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.
File type pattern to blocklist and submit to FortiGuard Analytics:
- 1: Builtin patterns
- 2: All executables
- <filepattern_id>: Identifier of a defined filepattern. See DLP filepattern for more information.
analytics-db {enable | disable}
Enable or disable (by default) using antivirus signatures from the FortiSandbox's database as well as signatures from the FortiGate.
analytics-max-upload <mb>
Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.
Maximum file size that can be scanned, in megabytes. Set the value between 1-200. The default value is set to 10.
analytics-wl-filetype {1 | 2 | <filepattern_id>}
Note: This entry is only available when ftgd-analytics is set to either suspicious or everything.
File type pattern to allowlist and submit to FortiGuard Analytics:
- 1: Builtin patterns
- 2: All executables
- <filepattern_id>: Identifier of a defined filepattern. See DLP filepattern for more information.
av-block-log {enable | disable}
Enable (by default) or disable logging files that are blocked by antivirus.
av-virus-log {enable | disable}
Enable (by default) or disable logging for antivirus scanning.
ftgd-analytics {disable | suspicious | everything}
Choose which files are sent to FortiSandbox for further inspection. Select between the following options:
- disable: No files are sent for inspection (set by default).
- suspicious: Files that the antivirus engine deems suspicious are sent for inspection.
- everything: All files are sent for inspection.
inspection-mode {proxy | flow-based}
Set the inspection mode. Select between the following options:
- proxy: Scanning reconstructs content passing through the FortiGate unit and inspects the content for security threats.
- flow-based: Scanning takes a snapshot of content packets and uses pattern matching to identify security threats in the content (set by default).
mobile-malware-db {enable | disable}
Enable (by default) or disable using antivirus signatures from the mobile malware signature database as well as signatures from the FortiGate.
replacemsg-group <group-name>
Set a replacement message group to use with antivirus scanning.
scan-mode {quick | full}
Note: This entry is only available when inspection-mode is set to flow-based.
Choose which scan mode to use for antivirus inspection. Select from the following options:
- quick: This mode uses a compact antivirus database and advanced techniques to improve performance.
- full: In this mode, content packets are buffered while simultaneously being sent to their destination (set by default).
config {http | ftp | imap | pop3 | smtp | mapi | nntp | smb}
Note: MAPI and NNTP are not configurable for all FortiGate models.
Configure how this profile handles specific protocols.
archive-block {encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled}
Set which types of archived files to block.
archive-log {encrypted | corrupted | partiallycorrupted | multipart | nested | mailbomb | fileslimit | timeout | unhandled}
Set which types of archived files to log.
content-disarm {enable | disable}
Note: This entry is only available when inspection-mode of the profile is set to proxy.
Enable or disable (by default) Content Disarm and Reconstruction (CDR) for this protocol. CDR is used to remove exploitable content and replace it with content that is known to be safe. As the files are processed through an enabled Proxy-based AntiVirus profile, content that is deemed malicious or unsafe is replaced with content that will allow the traffic to continue, but not put the recipient at risk. Archived ZIP folders can also be processed.
The use of CDR is enabled or disabled separately for each protocol in the profile. This feature is not supported for FTP or MAPI.
Once enabled, a warning will appear stating that all original files subjected to CDR will be discarded. Use the config content-disarm configuration method to set the various CDR options, including original-file-destination, in order to retrieve the original files.
emulator {enable | disable}
Enable (by default) or disable the virus emulator.
executables {default | virus}
Note: This entry is only available when configuring IMAP, POP3, SMTP, and MAPI.
Set how this profile treats executable files sent with this protocol. Select from the following options:
- default: Perform standard antivirus scanning (set by default).
- virus: Treat executable files as viruses.
options {scan | avmonitor | quarantine}
Set an action to apply to traffic using this protocol. Select from the following options:
- scan: Scan files transferred using this protocol for viruses.
- avmonitor: Log detected viruses, but allow them through the firewall without modification.
- quarantine: Quarantine files that contain viruses. This feature is available for FortiGates with a hard disk or those connected to a FortiAnalyzer.
config nac-quar
Configure the quarantine settings for this profile.
expiry <duration>
Note: This entry is only available when infected is set to quar-src-ip.
Set the duration of the quarantine in the days, hours, minutes format <###d##h##m>. The default is 5 minutes.
infected {none | quar-src-ip}
Set which infected hosts are added to the banned user list. Select from the following options:
- none: No hosts are banned (set by default).
- quar-src-ip: All traffic from the source IP is banned.
log {enable | disable}
Enable or disable (by default) logging for antivirus quarantines.
config content-disarm
Use this configuration method to set AntiVirus CDR settings, including an original file destination for files to be sent to (if not discarded), and enable or disable stripping of various content such as hyperlinks and embedded objects in various document types.
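The following is an added example, not Fortinet code and not part of this CLI reference: a small Python auditor that parses an antivirus-profile dump in the config / edit / set / next / end shape shown above and reports the settings this page describes as weak or invalid. It checks the per-protocol entries (options avmonitor lets detected viruses through unmodified; content-disarm requires inspection-mode proxy and is not supported for FTP or MAPI; archive types missing from archive-block are not blocked) and the nac-quar expiry, which it parses from the <###d##h##m> format. The two profiles in SAMPLE_CONFIG are constructed, the 60-minute quarantine threshold is an assumed local policy, and the statement that unblocked encrypted or unhandled archives pass unscanned is the editor's reading of the archive-block options rather than a sentence on this page.

```python
# Added example (not Fortinet code): parse a FortiOS "config antivirus profile"
# dump and flag the weak settings this page describes. SAMPLE_CONFIG is a
# constructed sample; the 60-minute quarantine threshold is an assumed policy.
import re
import shlex

SAMPLE_CONFIG = """\
config antivirus profile
    edit "weak"
        set inspection-mode flow-based
        config http
            set options avmonitor
            set archive-block corrupted
            set outbreak-prevention disabled
            set content-disarm enable
        end
        config nac-quar
            set infected quar-src-ip
            set expiry 0d0h2m
        end
    next
    edit "hardened"
        set inspection-mode proxy
        config http
            set options scan
            set archive-block encrypted corrupted unhandled
            set outbreak-prevention full-archive
            set content-disarm enable
        end
        config nac-quar
            set infected quar-src-ip
            set expiry 0d1h0m
        end
    next
end
"""

PROTOCOLS = ("http", "ftp", "imap", "pop3", "smtp", "mapi", "nntp", "smb")
EXPIRY_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?$")


def parse_fortios(text):
    """Nested dicts: 'config X'/'edit X' open a child (closed by end/next); 'set k v...' stores a list."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles quoted names such as edit "weak"
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw in ("end", "next"):
            stack.pop()
        elif kw == "set":
            stack[-1][args[0]] = args[1:]  # multi-select keys keep all values
    return root


def expiry_to_minutes(value):
    """Convert the nac-quar expiry format <###d##h##m> to whole minutes."""
    m = EXPIRY_RE.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"bad expiry {value!r}, expected <###d##h##m>")
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return days * 24 * 60 + hours * 60 + mins


def audit_profile(name, prof, min_quarantine_minutes=60):
    """Return a list of findings for one profile; an empty list means no issues."""
    findings = []
    mode = prof.get("inspection-mode", ["flow-based"])[0]   # page: flow-based is the default
    for proto in PROTOCOLS:
        p = prof.get(proto)
        if p is None:
            continue
        if "avmonitor" in p.get("options", []):
            findings.append(f"{name}/{proto}: avmonitor only logs; detected viruses pass unmodified")
        if p.get("outbreak-prevention", ["disabled"])[0] == "disabled":
            findings.append(f"{name}/{proto}: outbreak-prevention is disabled or not set")
        for kind in ("encrypted", "unhandled"):
            if kind not in p.get("archive-block", []):
                findings.append(f"{name}/{proto}: {kind} archives are not blocked and pass unscanned")
        if p.get("content-disarm", ["disable"])[0] == "enable":
            if mode != "proxy":
                findings.append(f"{name}/{proto}: content-disarm needs inspection-mode proxy (profile is {mode})")
            if proto in ("ftp", "mapi"):
                findings.append(f"{name}/{proto}: content-disarm is not supported for this protocol")
    quar = prof.get("nac-quar", {})
    if quar.get("infected", ["none"])[0] == "quar-src-ip":
        minutes = expiry_to_minutes(quar.get("expiry", ["0d0h5m"])[0])   # page: default 5 minutes
        if minutes < min_quarantine_minutes:
            findings.append(f"{name}/nac-quar: expiry {minutes} min is below the {min_quarantine_minutes} min policy")
    return findings


def audit_config(text):
    """Audit every profile under 'config antivirus profile'; returns name -> findings."""
    profiles = parse_fortios(text).get("antivirus profile", {})
    return {name: audit_profile(name, prof) for name, prof in profiles.items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running the module prints six findings for the "weak" profile and none for "hardened". The parser deliberately stores every `set` value as a list, because multi-select keys such as archive-block take several values on one line, and a dump exported from a device can be fed to audit_config unchanged.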